Meltdown and Spectre FAQ

Brad Chacos and Michael Simon reveal what you need to know

Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues – dubbed Meltdown and Spectre – exist in the CPU hardware itself, Windows, Linux, Android, Macs, Chromebooks, and other operating systems all need to protect against them. And worse, it appears that plugging the hole will negatively affect your PC’s performance.

Again, the CPU exploits in play here are extremely technical, but in a nutshell, the exploit allows access to your operating system’s sacrosanct kernel memory because of how the processors handle ‘speculative execution’, which modern chips perform to increase performance. An attacker can exploit these CPU vulnerabilities to expose sensitive data in your protected kernel memory, including passwords, cryptographic keys, personal photos, emails, or any other data on your PC.

Meltdown is the more serious exploit, and the one that operating systems are rushing to fix. It “breaks the most fundamental isolation between user applications and the operating system,” according to Google. This flaw most strongly affects Intel processors because of the aggressive way they handle speculative execution, though a few ARM cores are also susceptible.

Spectre affects AMD and ARM processors as well as Intel CPUs, which means mobile devices are at risk. It’s “harder to exploit than Meltdown, but it is also harder to mitigate,” Google says. There may be no hardware solution to Spectre, which “tricks other applications into accessing arbitrary locations in their memory.” Software needs to be hardened to guard against it.

What’s a kernel?

The kernel inside your operating system is basically an invisible process that facilitates the way apps and functions work on your computer, talking directly to the hardware. It has complete access to your operating system, with the highest possible level of permissions. Standard software has much more limited access.

How do I know if my Mac is at risk?

Short answer: it is. Probably.

Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the operating system you are running or whether you have a desktop or laptop. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, though AMD says its hardware has ‘near zero’ risk because of the way its chip architecture is designed.

Intel said recently, though, that the patches that it is issuing – via firmware and operating system patches – “render those systems immune from both exploits.” That’s a big claim from Intel, and has yet to be confirmed.

So if Meltdown’s a chip problem, then Intel needs to fix it?

Yes and no. While Intel may address the fundamental hardware problem in future chips, the fix for PCs in the wild needs to come from the operating system manufacturer, as a microcode update alone won’t be able to properly repair it. Intel said on 4 January that it had been aware of both vulnerabilities since June 2017, which gives you an idea of how seriously the computing ecosystem has taken both Spectre and Meltdown.

Intel is also publishing firmware updates for its processors. You’ll need to snag them from your PC, laptop, or motherboard maker (such as HP or Gigabyte) rather than Intel itself. Intel’s support page for the flaw links to firmware updates and information from the PC manufacturers it works with. At the time of writing, Intel expects to have released firmware updates for 90 percent of processors released in the past five years by 12 January. The company hasn’t announced its plans for older CPUs like the venerable Core i7-2600K or processors from last decade.

So, what can you do?

Not much besides updating your PC with Meltdown patches issued by operating system makers. Since the issue is such a deeply technical one there isn’t anything users can do to mitigate the potential issue other than wait for a fix to arrive. Definitely make sure you’re running security software in the meantime – advice that Intel also stresses.

Do you know when a fix will come?

It’s already here. Apple quietly protected against Meltdown in macOS High Sierra 10.13.2, which was released on 6 December, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says. Kernel patches are also available for Linux.

So once I download the patch I’m good?

Well, the operating system patches will plug the risk of Meltdown, but you might not like the side effects. While the fix will prevent the chip’s kernel from leaking memory, it brings some unfortunate changes to the way the OS interacts with the processor. And that could lead to slowdowns.

More recent Intel processors from the Haswell (4th-gen) era onward have a technology called PCID (Process-context Identifiers) enabled and are said to suffer less of a performance hit. Plus, some applications – most notably virtualization tasks and data centre/cloud workloads – are affected more than others. Intel confirmed that the performance loss will be dependent on workload, and should not be significant for average home computer users.
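For readers on the Linux side of those kernel patches, the following added example (not part of the original article) checks whether the CPU advertises PCID and what the running kernel itself reports for Meltdown and Spectre. It assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities`; the function names are illustrative, and the paths are parameters so the checks can also be run against saved copies of those files.

```shell
#!/bin/sh
# Added example: PCID support and kernel-reported Meltdown/Spectre status (Linux).

# has_cpu_flag FLAG [CPUINFO_FILE] -> exit 0 if the first "flags" line lists FLAG.
# Exact-word matching matters: "invpcid" is a different flag from "pcid".
has_cpu_flag() {
    local flag="$1" file="${2:-/proc/cpuinfo}"
    grep -m1 '^flags' "$file" 2>/dev/null | tr -s ' \t:' '\n' | grep -qx "$flag"
}

# vuln_status NAME [SYSFS_DIR] -> prints the kernel's status line for NAME.
vuln_status() {
    local name="$1" dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    if [ -r "$dir/$name" ]; then
        cat "$dir/$name"
    else
        echo "unknown (no sysfs report)"
    fi
}

# classify STATUS -> not-affected | mitigated | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation*)     echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report [CPUINFO_FILE] [SYSFS_DIR] -> one summary line per check.
report() {
    local cpuinfo="${1:-/proc/cpuinfo}"
    local dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    local v s
    if has_cpu_flag pcid "$cpuinfo"; then echo "pcid: yes"; else echo "pcid: no"; fi
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(vuln_status "$v" "$dir")
        echo "$v: $(classify "$s") ($s)"
    done
}

report "$@"
```

A `mitigated` result for `meltdown` together with `pcid: yes` is the combination the article describes as taking the smaller performance hit.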

Much, much less than Intel chips. All modern CPUs are vulnerable to Spectre attacks, but AMD says that its CPUs have ‘near zero’ risk to one variant due to the way they’re constructed. The performance impact of Spectre patches is expected to be ‘negligible’.

There is “zero AMD vulnerability” to Meltdown thanks to chip design, AMD says. If operating system patches exclude AMD CPUs from the new Meltdown restrictions, the performance war between Intel’s chips and AMD’s new